ApexAegis

Admin ABAC Control

Attribute-Based Access Control — define fine-grained admin permissions

ABAC policies evaluate subject attributes (role, department, clearance), resource attributes (type, sensitivity), and environment conditions (time, IP, MFA) to make access decisions. Rules are evaluated top-to-bottom — first match wins.
Total Rules: 5, Allow: 4, Deny: 1

Super Admin Full Access

Full platform access for super administrators

ALLOW
Subject
super-admin
top-secret
Resource
all
Sensitivity: any
Environment
Time: none
IP: any
MFA: Required
Permissions: read, write, delete, admin, audit

Security Admin Policy Mgmt

Security admins can manage policies and profiles but not system settings

ALLOW
Subject
security-admin
secret
Resource
policies, profiles, identity
Sensitivity: high
Environment
Time: business-hours
IP: 10.0.0.0/8
MFA: Required
Permissions: read, write, delete

Network Admin Gateway Access

Network admins can manage gateways and tunnel configurations

ALLOW
Subject
network-admin
confidential
Resource
gateways, tunnels, sdwan
Sensitivity: medium
Environment
Time: none
IP: any
MFA: Required
Permissions: read, write

Auditor Read-Only

Auditors have read-only access to logs, policies, and reports

ALLOW
Subject
auditor
confidential
Resource
logs, policies, reports, identity
Sensitivity: any
Environment
Time: business-hours
IP: 10.0.0.0/8
MFA: Not required
Permissions: read, audit

Block External Admin Access

Deny admin actions from non-corporate IPs without MFA

DENY
Subject
any
any
Resource
system-settings, admin
Sensitivity: critical
Environment
Time: none
IP: external
MFA: Not required
Permissions: write, delete, admin
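
The top-to-bottom, first-match-wins evaluation described at the top of the page, applied to the five rules above to show that the decision depends on rule order. This is an added example, not ApexAegis code. It assumes that "external" means outside 10.0.0.0/8 and that a request matching no rule is denied, it leaves the clearance and sensitivity attributes out, and the sample request is constructed.

```python
import ipaddress

CORP = ipaddress.ip_network("10.0.0.0/8")  # assumption: "external" = outside this range

def rule(name, effect, role, resources, hours, ip, mfa, perms):
    return dict(name=name, effect=effect, role=role, resources=resources,
                hours=hours, ip=ip, mfa=mfa, perms=set(perms.split()))

# The five rules in the order the page lists them; None stands for any/all/none.
# Clearance and sensitivity are not modelled in this sketch.
RULES = [
    rule("Super Admin Full Access", "ALLOW", "super-admin", None,
         None, None, True, "read write delete admin audit"),
    rule("Security Admin Policy Mgmt", "ALLOW", "security-admin",
         {"policies", "profiles", "identity"}, "business-hours", "corp", True, "read write delete"),
    rule("Network Admin Gateway Access", "ALLOW", "network-admin",
         {"gateways", "tunnels", "sdwan"}, None, None, True, "read write"),
    rule("Auditor Read-Only", "ALLOW", "auditor",
         {"logs", "policies", "reports", "identity"}, "business-hours", "corp", False, "read audit"),
    rule("Block External Admin Access", "DENY", None,
         {"system-settings", "admin"}, None, "external", False, "write delete admin"),
]

def matches(r, req):
    in_corp = ipaddress.ip_address(req["ip"]) in CORP
    return ((r["role"] is None or r["role"] == req["role"])
            and (r["resources"] is None or req["resource"] in r["resources"])
            and req["action"] in r["perms"]
            and (r["hours"] is None or req["business_hours"])
            and (r["ip"] is None or (r["ip"] == "corp") == in_corp)
            and (not r["mfa"] or req["mfa"]))  # "MFA: Required" needs req["mfa"] True

def decide(req, rules=RULES):
    """Top-to-bottom, first match wins; no match falls through to DENY (assumed default)."""
    for r in rules:
        if matches(r, req):
            return r["effect"], r["name"]
    return "DENY", "no rule matched"

# Constructed request: super admin, MFA completed, external address, system settings.
REQ = dict(role="super-admin", resource="system-settings", action="admin",
           ip="203.0.113.7", business_hours=False, mfa=True)

if __name__ == "__main__":
    print(decide(REQ))                          # rules in listed order
    print(decide(REQ, [RULES[4]] + RULES[:4]))  # same rules, DENY moved to the top
```

Under these assumptions the DENY rule at the bottom is only reached by requests that no ALLOW rule above it has already matched.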